From b03ea68d492af634c2ca5137ba07f89047e46880 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Bauer?= Date: Fri, 22 Dec 2017 16:51:31 +0100 Subject: [PATCH] switched to certbot command in nginx & apache ssl example configs --- contrib/apache2/zammad_ssl.conf | 22 ++-- contrib/nginx/zammad_ssl.conf | 200 ++++++++++++++++---------------- 2 files changed, 106 insertions(+), 116 deletions(-) diff --git a/contrib/apache2/zammad_ssl.conf b/contrib/apache2/zammad_ssl.conf index 1e11a9d05..ac878b6bb 100644 --- a/contrib/apache2/zammad_ssl.conf +++ b/contrib/apache2/zammad_ssl.conf @@ -1,33 +1,26 @@ # -# this is an example nginx config for zammad with free letsencrypt.org ssl certificates +# this is an example apache 2.4 config for zammad with free letsencrypt.org ssl certificates # replace all occurrences of example.com with your domain -# when creating letsencrypt certificates the first time comment out the https parts in the config or nginx will not start -# create letsencrypt certificate by: /usr/bin/letsencrypt certonly --rsa-key-size 4096 --duplicate --text --webroot-path /var/www/html/ --webroot -d example.com -d www.example.com +# create letsencrypt certificate by: certbot certonly --webroot -w /var/www/html -d www.example.com # create dhparam.pem by: openssl dhparam -out /etc/ssl/dhparam.pem 4096 # download x3 certificate by: wget -q https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -P /etc/ssl # you can test your ssl configuration @ https://www.ssllabs.com/ssltest/analyze.html # -# -# this is the apache config for zammad -# - - # replace 'localhost' with your fqdn if you want to use zammad from remote - ServerName your.domain.name - Redirect permanent / https://your.domain.name + ServerName example.com + Redirect permanent / https://example.com SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH - SSLCertificateFile /etc/letsencrypt/live/your.domain.name/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/your.domain.name/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/your.domain.name/chain.pem - SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem + SSLCertificateFile /etc/letsencrypt/live/example.com-0000/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0000/privkey.pem SSLCertificateChainFile /etc/ssl/lets-encrypt-x3-cross-signed.pem + SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem # replace 'localhost' with your fqdn if you want to use zammad from remote ServerName localhost @@ -65,5 +58,4 @@ Options FollowSymLinks Require all granted - diff --git a/contrib/nginx/zammad_ssl.conf b/contrib/nginx/zammad_ssl.conf index 316d65287..331f74c61 100644 --- a/contrib/nginx/zammad_ssl.conf +++ b/contrib/nginx/zammad_ssl.conf @@ -1,145 +1,143 @@ # # this is an example nginx config for zammad with free letsencrypt.org ssl certificates # replace all occurrences of example.com with your domain -# when creating letsencrypt certificates the first time comment out the https parts in the config or nginx will not start -# create letsencrypt certificate by: /usr/bin/letsencrypt certonly --rsa-key-size 4096 --duplicate --text --webroot-path /var/www/html/ --webroot -d example.com -d www.example.com +# create letsencrypt certificate by: certbot certonly --webroot -w /var/www/html -d www.example.com # create dhparam.pem by: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 # download x3 certificate by: wget -q https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -P /etc/nginx/ssl # you can test your ssl configuration @ https://www.ssllabs.com/ssltest/analyze.html # upstream zammad { - server localhost:3000; + server localhost:3000; } upstream zammad-websocket { - server localhost:6042; + server localhost:6042; } server { - listen 80; - listen [::]:80; + listen 80; + listen [::]:80; - server_name example.com www.example.com; + server_name example.com www.example.com; - access_log /var/log/nginx/example.com.access.log; - error_log /var/log/nginx/example.com.error.log; + access_log /var/log/nginx/example.com.access.log; + error_log /var/log/nginx/example.com.error.log; - location /.well-known/ { - root /var/www/html; - } - - location / { - rewrite ^/(.*)$ https://www.example.com/$1 permanent; - } -} - - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name example.com; - - ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - ssl_ciphers HIGH:!aNULL:!MD5; - - ssl_dhparam /etc/nginx/ssl/dhparam.pem; - - ssl_prefer_server_ciphers on; - - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 180m; - - ssl_stapling on; - ssl_stapling_verify on; - - ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem; - - resolver 8.8.8.8 8.8.4.4; - - add_header Strict-Transport-Security "max-age=31536000" always; - - access_log /var/log/nginx/example.com.access.log; - error_log /var/log/nginx/example.com.error.log; + location /.well-known/ { + root /var/www/html; + } + location / { rewrite ^/(.*)$ https://www.example.com/$1 permanent; + } +} + + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name example.com; + + ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + ssl_ciphers HIGH:!aNULL:!MD5; + + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + ssl_prefer_server_ciphers on; + + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; + + ssl_stapling on; + ssl_stapling_verify on; + + ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem; + + resolver 8.8.8.8 8.8.4.4; + + add_header Strict-Transport-Security "max-age=31536000" always; + + access_log /var/log/nginx/example.com.access.log; + error_log /var/log/nginx/example.com.error.log; + + rewrite ^/(.*)$ https://www.example.com/$1 permanent; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl http2; + listen [::]:443 ssl http2; - server_name www.example.com; + server_name www.example.com; - ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem; - ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem; + ssl_certificate /etc/nginx/ssl/example.com-fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/example.com-privkey.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers HIGH:!aNULL:!MD5; - ssl_dhparam /etc/nginx/ssl/dhparam.pem; + ssl_dhparam /etc/nginx/ssl/dhparam.pem; - ssl_prefer_server_ciphers on; + ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 180m; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 180m; - ssl_stapling on; - ssl_stapling_verify on; + ssl_stapling on; + ssl_stapling_verify on; - ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem; + ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem; - resolver 8.8.8.8 8.8.4.4; + resolver 8.8.8.8 8.8.4.4; - add_header Strict-Transport-Security "max-age=31536000" always; + add_header Strict-Transport-Security "max-age=31536000" always; - location = /robots.txt { - access_log off; log_not_found off; - } + location = /robots.txt { + access_log off; log_not_found off; + } - location = /favicon.ico { - access_log off; log_not_found off; - } + location = /favicon.ico { + access_log off; log_not_found off; + } - root /opt/zammad/public; + root /opt/zammad/public; - access_log /var/log/nginx/example.com.access.log; - error_log /var/log/nginx/example.com.error.log; + access_log /var/log/nginx/example.com.access.log; + error_log /var/log/nginx/example.com.error.log; - client_max_body_size 50M; + client_max_body_size 50M; - location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { - expires max; - } + location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) { + expires max; + } - location /ws { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header CLIENT_IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 86400; - proxy_pass http://zammad-websocket; - } + location /ws { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 86400; + proxy_pass http://zammad-websocket; + } - location / { - proxy_set_header Host $http_host; - proxy_set_header CLIENT_IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 300; - proxy_pass http://zammad; - - gzip on; - gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; - gzip_proxied any; - } + location / { + proxy_set_header Host $http_host; + proxy_set_header CLIENT_IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 300; + proxy_pass http://zammad; + gzip on; + gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml; + gzip_proxied any; + } }